Configure OpenSSL library to use System Crypto Policy
An XCCDF Rule
Description
Crypto Policies provide centralized control over the crypto algorithms used by many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it.

To check that Crypto Policies settings are configured correctly, examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. The directive has to sit inside that section, not elsewhere in the file: the included file is a list of key = value settings (cipher string, minimum protocol version and so on) that only take effect as the contents of the section OpenSSL is told to use as its system default. A commented-out directive does not count.
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSL library violate expectations, and makes system configuration more fragmented.
- ID
- xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Section header and include directive written into /etc/pki/tls/openssl.cnf; the regex
# tolerates arbitrary whitespace inside the brackets when searching for an existing header.
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
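The variable definitions above are only the head of the remediation script. What follows is an added example, not the SCAP Security Guide's own remediation: a check that passes only when the .include directive is inside the [ crypto_policy ] section, plus a remediation that adds whatever is missing. The function names, the file-path argument (so the code can be tried on a temporary copy instead of the live /etc/pki/tls/openssl.cnf), the acceptance of the `.include = path` spelling that OpenSSL's config(5) also understands, and the sample openssl.cnf fragment in the demo are all assumptions made here.

```bash
#!/bin/sh
# Added example (not the SCAP Security Guide's own remediation script).
# Checks whether an OpenSSL config file enables the system crypto policy, i.e. has a
# [ crypto_policy ] section that contains the .include of opensslcnf.config, and can add
# what is missing. The config file path is an argument (assumption made here) so the
# functions can be exercised on a temporary copy rather than on /etc/pki/tls/openssl.cnf.

OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'

# Section header with any whitespace inside the brackets (valid as BRE for sed and ERE for grep).
SECTION_REGEX='^[[:space:]]*\[[[:space:]]*crypto_policy[[:space:]]*]'
# OpenSSL's config(5) accepts ".include path" and ".include = path"; a commented-out line matches neither.
INCLUDE_REGEX='^[[:space:]]*\.include[[:space:]]*=?[[:space:]]*/etc/crypto-policies/back-ends/opensslcnf\.config[[:space:]]*$'

has_crypto_policy_section() {
    grep -Eq "$SECTION_REGEX" "$1"
}

# Print the [ crypto_policy ] section: its header up to the next section header (or EOF).
# The terminating header line can never match INCLUDE_REGEX, so it does no harm in the output.
crypto_policy_section_body() {
    sed -n "/$SECTION_REGEX/,/^[[:space:]]*\[/p" "$1"
}

# Exit 0 only when the include directive sits inside the section. The included file is a
# list of key = value settings, so an .include anywhere else in openssl.cnf lands in the
# wrong section and does not enable the policy.
check_openssl_crypto_policy() {
    f="$1"
    [ -f "$f" ] || return 1
    has_crypto_policy_section "$f" || return 1
    crypto_policy_section_body "$f" | grep -Eq "$INCLUDE_REGEX"
}

# Add whatever is missing, then re-run the check so the exit status reports the outcome.
remediate_openssl_crypto_policy() {
    f="$1"
    if [ ! -f "$f" ]; then
        printf '%s\n%s\n' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" > "$f"
    elif ! has_crypto_policy_section "$f"; then
        printf '\n%s\n%s\n' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$f"
    elif ! check_openssl_crypto_policy "$f"; then
        # Section present but the directive is missing (or commented out): insert it right
        # below the header. Writing back with cat keeps the file's owner, mode and SELinux label.
        scratch="$f.tmp.$$"
        sed "/$SECTION_REGEX/a\\
$OPENSSL_CRYPTO_POLICY_INCLUSION" "$f" > "$scratch" && cat "$scratch" > "$f"
        rm -f "$scratch"
    fi
    check_openssl_crypto_policy "$f"
}

# Constructed sample, not a real system's file: the wiring from the default section down to
# ssl_module is in place, but someone has commented out the include.
demo_openssl_crypto_policy() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
openssl_conf = default_modules

[ default_modules ]
ssl_conf = ssl_module

[ ssl_module ]
system_default = crypto_policy

[ crypto_policy ]
# .include /etc/crypto-policies/back-ends/opensslcnf.config

[ req ]
distinguished_name = req_distinguished_name
EOF
    before=fail; check_openssl_crypto_policy "$sample" && before=pass
    after=fail;  remediate_openssl_crypto_policy "$sample" && after=pass
    echo "check before remediation: $before; after remediation: $after"
    crypto_policy_section_body "$sample"
    rm -f "$sample"
    [ "$before" = fail ] && [ "$after" = pass ]
}

# With a path argument, only report on that file (no changes are made); without one, run the demo.
if [ -n "$1" ]; then
    if check_openssl_crypto_policy "$1"; then
        echo "$1: system crypto policy is enabled for OpenSSL"
    else
        echo "$1: system crypto policy is NOT enabled for OpenSSL"
    fi
else
    demo_openssl_crypto_policy
fi
```

Running the file with /etc/pki/tls/openssl.cnf as its argument is a read-only audit; to fix the live file, call remediate_openssl_crypto_policy on it as root. The section-scoped check is the part worth keeping: a plain grep for the .include line would also accept a directive placed outside the section or commented out, and neither of those enables the policy.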
Remediation - Ansible
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy Section
  ansible.builtin.find:
    paths: /etc/pki/tls
    patterns: openssl.cnf
    contains: ^\s*\[\s*crypto_policy\s*]
  # The find result is registered so the following tasks (not shown on this page) can decide
  # whether to append the whole section or only the .include directive; the variable name is an assumption.
  register: openssl_crypto_policy_section